Ivanti Fixes Actively Exploited RCE Flaws in Endpoint Manager Mobile

Ivanti patched actively exploited EPMM flaws that enable unauthenticated remote code execution.

Written By
Ken Underhill
Jan 30, 2026

Ivanti has issued security updates to fix two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that have been actively exploited in the wild.

The flaws allow unauthenticated attackers to remotely execute arbitrary code on affected systems. 

The vulnerabilities “… could lead to unauthenticated remote code execution. We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” said Ivanti in its disclosure.

Inside the Ivanti EPMM Vulnerabilities

The vulnerabilities pose a risk to organizations that use Ivanti EPMM to manage mobile devices, as the platform plays a central role in identity, network access, and device policy enforcement. 

A successful compromise could give attackers administrative control, access to sensitive device data, and a foothold for lateral movement within the enterprise. 

The two flaws — tracked as CVE-2026-1281 and CVE-2026-1340 — are critical code-injection vulnerabilities. 

Both issues enable unauthenticated remote code execution and carry CVSS scores of 9.8, reflecting their low attack complexity and the absence of required privileges or user interaction. 

In practical terms, this means attackers can remotely exploit exposed EPMM instances with minimal effort while achieving high-impact outcomes.

Ivanti explained that the vulnerabilities affect the In-House Application Distribution and Android File Transfer Configuration features within EPMM. 

Because the attack vector is network-based and does not require authentication, threat actors can target vulnerable appliances directly if they are accessible. 

Ivanti’s disclosure also noted that in prior attacks against EPMM vulnerabilities, attackers commonly deployed web shells or reverse shells to maintain persistence on compromised systems.

Ivanti emphasized that the vulnerabilities are limited to EPMM and do not affect other products in its portfolio, including Ivanti Endpoint Manager (EPM), Ivanti Neurons for MDM, or Ivanti Sentry. 

Given EPMM’s central role in device management and policy enforcement, the potential impact of exploitation remains high for organizations that have not yet applied mitigations.


How to Mitigate Ivanti EPMM Risk

Given the active exploitation of these Ivanti EPMM vulnerabilities, organizations should take immediate and layered steps to reduce exposure and limit potential impact. 

  • Apply the appropriate Ivanti version-specific RPM patches and reapply them after any EPMM version upgrades.
  • Restrict EPMM access to trusted networks only and remove direct internet exposure using firewall rules and network segmentation.
  • Monitor Apache access logs and system activity for indicators of exploitation, including abnormal HTTP responses and unauthorized configuration changes.
  • Isolate EPMM appliances from high-value internal systems and limit integrations to reduce lateral movement risk.
  • Restore compromised systems from known good backups or rebuild affected appliances, followed by credential resets and certificate rotation.
  • Validate and regularly test incident response plans to ensure teams can quickly detect, contain, and recover from appliance-level compromise.
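The log-monitoring step above is the one most teams can act on immediately. The following is an added example, not code from Ivanti or from this article: it parses Apache combined-format access lines and flags clients that produce a burst of 5xx responses, which is one concrete form of the "abnormal HTTP responses" the list refers to. The log lines and request paths are constructed for the demonstration; the threshold is an assumption to tune per deployment.

```python
import re
from collections import defaultdict

# Apache combined log format (client, timestamp, request line, status, size,
# referer, user agent). Only the fields used below are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: one normal browser session and one scripted client
# hammering a single endpoint (placeholder path) and receiving server errors.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2026:10:01:02 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2026:10:01:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Jan/2026:10:02:11 +0000] "POST /example/upload HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [30/Jan/2026:10:02:12 +0000] "POST /example/upload HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [30/Jan/2026:10:02:13 +0000] "POST /example/upload HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [30/Jan/2026:10:02:14 +0000] "GET /example/upload HTTP/1.1" 200 48 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_abnormal_clients(log_text, error_threshold=3):
    """Summarise clients whose 5xx responses reach error_threshold.

    Returns {ip: {"errors": n, "agents": [user agents seen]}}. A burst of server
    errors from one source, especially a non-browser client, is worth a manual
    review of what that client was sending; the threshold is an assumed default.
    """
    errors = defaultdict(int)
    agents = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-combined-format line; skip rather than crash
        agents[rec["ip"]].add(rec["ua"])
        if rec["status"].startswith("5"):
            errors[rec["ip"]] += 1
    return {
        ip: {"errors": n, "agents": sorted(agents[ip])}
        for ip, n in errors.items()
        if n >= error_threshold
    }
```

Run it against a real access log by reading the file into `find_abnormal_clients`; correlate any flagged client with configuration changes on the appliance before deciding whether to rebuild.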

These measures help strengthen defenses around EPMM deployments.


Management Platforms Are Prime Targets

The active exploitation of these Ivanti EPMM flaws underscores how management platforms have become high-value targets due to their privileged access and central role in enterprise environments. 

As attackers continue to focus on vulnerabilities that offer broad control with minimal effort, timely patching, network hardening, and strong response readiness are essential to limiting impact.  

These risks highlight why organizations are adopting zero-trust models that minimize implicit trust and limit access even within trusted management platforms.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
